BIRMINGHAM – December 7 is a good day to re-think the implications of a “cyber Pearl Harbor.” Leon Panetta famously used the term in 2011, when it seemed like all of our generals had become cyber experts overnight.
“The potential for the next Pearl Harbor could very well be a cyber-attack,” the CIA Director testified before the House Permanent Select Committee on Intelligence.
At the time, Keith Alexander was in the midst of standing up US Cyber Command, which achieved operational readiness on October 31, 2010, months before Panetta’s statement.
Panetta, and just about everyone else inside the Beltway, uses the term Cyber Pearl Harbor to imply a disabling attack on critical infrastructure. Yes, our power grid, communications, and traffic lights are very poorly protected from hackers. Yes, an attack similar to the one in Ukraine over Christmas 2015 would not be difficult to achieve. But would it be strategic? What purpose would it serve a foreign government to shut down the power in the United States? Would China want to damage the economy of its biggest market? Would Russia risk the blowback? Perhaps Iran or the DPRK would figure they had nothing to lose?
Regardless, an attack on critical infrastructure is something for the Department of Homeland Security to worry about. The DoD has bigger worries.
Back before the wars in Afghanistan and Iraq, before military thinkers and policymakers became obsessed with counterinsurgency, the idea of the day was the Revolution in Military Affairs, or RMA, a doctrine that emphasized modern information technology and communications. It was sparked by Soviet analysis of the West’s move towards greater reliance on precision targeting and coordination, as demonstrated in Operation Desert Storm.
The reclusive and enigmatic “Yoda” of the Pentagon, Andrew Marshall, was poring through Russian-language journals and presumably secret communiqués. He was intrigued by the Soviet identification of a “Military Technical Revolution.” Europe throughout the Cold War occupied the center of the chessboard. On one hand, grand strategy revolved around a massive preemptive blitz of tanks and troops, supported by air power and even tactical nuclear weapons, emanating from the Soviet bloc; on the other hand, an arms buildup and nuclear deterrence from the West.
When Russian and Chinese thinkers witnessed an actual invasion using massed weapons and troops, supported by air and stand-off cruise missiles, as a U.S.-led coalition easily pushed Iraqi forces from Kuwait, they believed they saw the future of modern warfare. A combination of precision-guided weapons, networked intelligence, surveillance, and reconnaissance (ISR), and modern command and control would be a force multiplier while eliminating the fog of war.
Arthur Cebrowski was the chief proponent of the new Network-Centric Warfare (NCW). His 1998 paper, Network-Centric Warfare: Its Origin and Future, published in Proceedings and written while he was still Director for Space, Information Warfare, and Command and Control, is imbued with the excitement of the halcyon days of the internet boom. Reading it today, one is struck by the enthusiasm for networking that characterized the dot-com boom:
“We are in the midst of a revolution in military affairs (RMA) unlike any seen since the Napoleonic Age, when France transformed warfare with the concept of levée en masse. Chief of Naval Operations Admiral Jay Johnson has called it ‘a fundamental shift from what we call platform-centric warfare to something we call network-centric warfare’, and it will prove to be the most important RMA in the past 200 years.”
In his Pentagon briefing upon taking the role of Director of Force Transformation, Cebrowski said: “If you are not interoperable, you are not on the net. You are not benefiting from the information age.” Cebrowski was the Scott McNealy of the Pentagon.
When modernized militaries next engage in combat, expect a debilitating cyber-attack giving the adversary an asymmetric advantage. The move to Network-centric warfighting by the U.S. military set the stage for an inevitable Cyber Pearl Harbor.
The tenets of NCW, once again, are: eliminating the fog of war through a sensor grid, and a combination of precision-guided weapons, ISR, and command and control. The U.S. military, and other militaries around the world on both sides, were late to the computer and networking game (now dubbed “cyber”) but determined to catch up. A global information grid was sketched out. Satellites for reconnaissance and communication were launched. Precision GPS systems were deployed. Drones for ISR and weapons delivery were built in ever-increasing numbers. A high-altitude drone, the Global Hawk, was deployed not only to replace the 1950s-vintage U-2 platform but to add a layer to the ISR and command-and-control picture from land, sea, and air systems.
But while weapons systems were being networked, the operational networks of the Pentagon crawled along at a pace much slower than in the commercial space. Transformation encompassed putting PCs on every general’s desk and empowering operations and planning personnel with PowerPoint tools. By 2008 most enterprises had already discovered and addressed the disruptive nature of “being networked.” Viruses spread by floppy disks and then by the internet were addressed with anti-virus software. Worms such as Code Red, SQL Slammer, and Nimda had had their impact. Firewalls were locked down to “deny all except that which is explicitly allowed.” Intrusion prevention was deployed to block worms and network-based attacks. To avoid data loss, endpoint controls were established to block the use of unauthorized USB devices. Vulnerability and patch management systems were almost universally deployed.
The Pentagon had its wake-up call, according to William Lynn, then Assistant Secretary of Defense for Cyber, in 2008, when the Agent.btz worm spread from a forward operating base in the Middle East throughout SIPRNet, the top secret military network. The cleanup effort, labeled Buckshot Yankee, took nine months and involved re-imaging millions of PCs at a cost of $1 billion. We can learn a few things by reading between the lines. In 2008 the Pentagon did not have device control systems deployed. We also know this from the way Bradley Manning exfiltrated the State Department cables from a SCIF in Iraq by burning them to a Lady Gaga CD via a USB port. In addition, we know that the Pentagon did not have the ability to remotely update its PCs, as the re-imaging was accomplished locally at each facility.
Note that the commander in charge of the Joint Functional Component Command for Network Warfare (JFCC-NW) that first saw Agent.btz crossing SIPRNet was Keith Alexander. As the military and federal government caught “cyber fever” and scrambled to shore up defenses, there was also a land grab to claim the cyber domain. Then-Secretary of Defense Robert Gates addressed the scramble, directing the Air Force and Navy to stand aside and then combining JFCC-NW with the Joint Task Force-Global Network Operations (JTF-GNO, also led by Alexander). Gates eventually appointed Alexander to head U.S. Cyber Command in addition to the NSA.
But the parallel between the Pentagon and the measures that industry has been taking to address the rise of cybercrime, espionage, and attack continues. The Pentagon came to the game late and reacted with uncommon speed to the threats that accompanied a move to NCW, but with one glaring omission.
Software assurance, the practice of designing and testing software to exclude vulnerabilities, has apparently been neglected completely by the Pentagon and the defense contractors that supply it with precision weapons, ISR, and command-and-control capabilities. With the famous Trustworthy Computing memo written by Bill Gates, Microsoft embarked on a massive software assurance (SA) effort in 2002, when it became apparent that vulnerabilities in Windows and its applications represented an existential threat to its market. Software development was halted for a full year as every engineer was trained in the methods of code scanning and secure software design practices. While not perfect, that effort paid off eventually. Fifteen years later, the latest versions of Windows are relatively good.
The Pentagon made a mistake common to many manufacturers. They assumed that because their systems were proprietary and distribution was controlled there would be no hacking, no vulnerabilities discovered, and no patch-management cycles to fix them. This is security by obscurity, an approach that always fails over time.
Evidence of the lack of software assurance within the defense industrial base abounds. Drones in Iraq and Afghanistan sent their video feeds in the clear, something discovered when insurgent laptops were captured with drone videos on them. There is apparently no verification of GPS signal authenticity: drones have been captured by both Iran and North Korea by overpowering the genuine GPS signal with spoofed information. And encryption keys are apparently accessible on those captured drones.
In one experiment run by the Air Force, three million lines of proprietary code were scanned for vulnerabilities. The scan found one “software vulnerability” per eight lines of code, one “high vulnerability” per 31 lines of code, and one “critical vulnerability” per 70 lines of source code.
Modern precision-weapon systems rely on software for target acquisition and flight control. The F-35 Joint Strike Fighter, the most sophisticated weapons platform ever built, contains 9 million lines of code, with another 15 million lines of code in the logistics support system required to supply it with spare parts. Apply the above rate of critical vulnerabilities and there are potentially 128,000 critical vulnerabilities in the most expensive fighter jet in the U.S. arsenal.
Does security by obscurity hold for weapons platforms? Not if the adversary is actively engaging in cyber espionage to get copies of software source code. According to Ellen Nakashima, sources provided the Washington Post with a confidential report to the Pentagon that itemized over a dozen weapon systems that had suffered from Chinese cyber espionage. These included: the advanced Patriot missile system (PAC-3), the Terminal High Altitude Area Defense (THAAD), the Navy’s Aegis ballistic-missile defense system, the F/A-18 fighter jet, the V-22 Osprey, the Black Hawk helicopter, the newly minted Littoral Combat Ship, and yes, the F-35 Joint Strike Fighter.
Just as hacking of vulnerable systems has moved from widely deployed and relatively inexpensive Windows PCs to medical equipment, automobiles, and industrial control systems, the weapons platforms that are the basis of NCW are surely vulnerable and surely going to be targeted. When modernized militaries next engage in combat, expect a debilitating cyber-attack, giving the adversary an asymmetric advantage.
So imagine a future altercation between the US Navy and that of China, perhaps in the contested South China Sea, or maybe in the Taiwan Strait. Further imagine that China uses GPS spoofing to misdirect the carrier-based fighters sent out on sorties; or creates a fog of war by inserting conflicting comms into secure channels; or directly targets vulnerable weapons systems. The result could be a disaster: a military defeat via cyber-attack.
This would be a Cyber Pearl Harbor.
Richard Stiennon has covered the IT security industry for 17 years. He is Chief Research Analyst at IT-Harvest. Follow him on Twitter @cyberwar